Demystifying SSL Decryption Palo Alto

Uploaded by

Praveen Rai

Demystifying SSL Decryption

Palo Alto Firewall

Redouane MEDDANE

The firewall uses a certificate with the role of Certificate Authority (CA) to perform SSL
decryption for outbound traffic.

There are three methods to generate this certificate.

1. Method 1: Using an external CA. The firewall generates a CSR (Certificate Signing
Request) together with the public/private key pair. You submit only the CSR (the public key),
while the private key is kept on the firewall; finally you upload the generated certificate,
which embeds the public key.

2. Method 2: Using a self-signed certificate. The firewall generates a certificate with the
public/private key pair automatically, without involving an external CA.

3. Method 3: Using an external CA. You generate the CSR or the certificate with the
public/private key pair yourself, then you upload the certificate together with its
public/private key.

The Palo Alto Firewall uses the SSL Forward Proxy action in the Decryption Policy for outbound
connections (from an inside PC to an external server).

• PA Firewall splits the original session into two: client<—>PA<—>server


• The original server certificate is spoofed and resigned by PA Firewall

The first method is to generate a self-signed Root CA certificate on the Palo Alto Firewall with
the role of Certificate Authority, instead of using an enterprise CA's certificate. Define the
Common Name and optionally a Subject Alternative Name. The most important part of this
configuration is to check the "Certificate Authority" option: without it, the Palo Alto Firewall
generates a CSR (Certificate Signing Request) instead. This option instructs the Palo Alto
Firewall to generate a certificate with the role of Certificate Authority so that it can be used
to sign other certificates, as shown below.
Once the certificate is generated, you need to edit it and check the "Forward Trust
Certificate" option; this option instructs the Palo Alto Firewall to sign the spoofed certificate
of the external server with it.

Let's test the connection to an internet website.

The second method is to create a CSR and then obtain a digital certificate with the role of
Certificate Authority that is signed by another Certificate Authority. In this case the Palo Alto
Firewall uses an intermediate certificate to sign the spoofed server certificate; in other words,
the Palo Alto Firewall is a Subordinate CA of the CA that signed its certificate.

The Certificate Authority that you use to sign the Palo Alto Firewall's CSR is, for example,
your Enterprise CA.
In this scenario you have two options to generate and submit the CSR. If you want to submit the
CSR to the Enterprise CA, you need to select the option "Signed By: External Authority (CSR)"
as shown below.

Then you download the CSR. To generate the certificate, access the Enterprise CA and paste the
CSR; in this case you must select the certificate template "Subordinate Certificate Authority",
so that the generated certificate carries the role of Certificate Authority.
The second option, which is simpler, is to retrieve the Enterprise CA's certificate together
with the corresponding private key, then upload both into the Palo Alto Firewall as shown below.

Once the Enterprise CA's certificate and the private key are uploaded, instead of using the
option "Signed By: External Authority (CSR)", you scroll down and select the Enterprise CA's
certificate you uploaded previously, as shown below. You must also check the option
"Certificate Authority"; this instructs the Palo Alto Firewall to generate by itself a
Subordinate CA certificate signed with the Enterprise CA's certificate and private key.
Once the Subordinate CA certificate is ready, you check the "Forward Trust Certificate" option.

Let's test a connection to an internet website.

The third method is to use the Enterprise CA's certificate itself to sign the spoofed certificate
of the external server. To do this, you edit the Enterprise CA certificate you uploaded
previously and check the "Forward Trust Certificate" option.
Let's test a connection to an internet website.

In some scenarios the destination (external) server sends a certificate signed by an untrusted
CA. With only the "Forward Trust Certificate" option, the original issuer is hidden, and the
user receives a trusted certificate signed by the Palo Alto Firewall's CA certificate, which the
internal PCs already trust. To warn the user and display a warning about the untrusted
certificate, so that it is up to the user to trust it or not, you need another certificate with
the role of Certificate Authority. When you generate the certificate that will be used for
untrusted external servers, do not sign it with a Root CA that the user's web browser trusts,
and do not use the Enterprise CA you used for the Forward Trust Certificate.

Instead, it is best practice to use a self-signed CA certificate with a meaningful Common Name,
as shown below.
Once the certificate is generated, you need to check the "Forward Untrust Certificate" option as
shown below. This option instructs the Palo Alto Firewall to re-sign any untrusted certificate
received from an external server with this certificate, so that users are prompted with a
warning when trying to access websites with untrusted certificates.

Let's test a connection to an untrusted server.


The last and most interesting scenario is the case where a legitimate website sends its
certificate but the Palo Alto Firewall does not trust the Certificate Authority that signed the
external server's certificate, or the server uses a certificate chain and the intermediate
certificate is missing from the certificate path the server presented to the Palo Alto Firewall.
Because it cannot validate the legitimate server's certificate, the Palo Alto Firewall presents
its Forward Untrust Certificate to the client and blocks the connection, since the option "Block
Sessions With Untrusted CA" is enabled on the Decryption Profile, and it is not a good idea to
disable it, as shown below.
In order to allow users to access these legitimate websites with an untrusted CA, the idea is to
upload the Root or the Subordinate certificate that signed the website's certificate into the
Palo Alto Firewall.

Once you upload it, you must check the option "Trusted Root CA".
Let's test the connection to the previously untrusted server. Now the server's certificate is
spoofed and signed with the trusted certificate of the Palo Alto Firewall, so the Forward Trust
Certificate is applied as expected.
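The certificate generation methods described at the start of the document and the missing-intermediate case just above, reproduced with openssl as an added example (this is not the page's or Palo Alto's own code; the CA names and the hostname are made up). The CA:TRUE extension plays the role of the "Certificate Authority" checkbox, and the trust store passed to verify_leaf plays the role of the firewall's "Trusted Root CA" uploads.

```shell
# Added example (not from the page): rebuild the page's PKI with openssl and
# show why a leaf whose intermediate is missing fails validation. All names
# (lab-root-ca, lab-sub-ca, www.example.test) are constructed placeholders.
W=$(mktemp -d)
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE'

# Every method on the page starts here: a key pair plus a CSR; the private key
# stays on the host that generated it.
new_csr() {                            # $1 = file stem, $2 = Common Name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
# Method 2: self-sign the CSR. CA:TRUE is the openssl equivalent of ticking
# "Certificate Authority"; without it you only get an ordinary certificate.
self_sign() {                          # $1 = stem, $2 = extensions
  printf '%s\n' "$2" > "$W/$1.ext"
  openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 365 \
    -extfile "$W/$1.ext" -out "$W/$1.pem" 2>/dev/null
}
# Method 1: an existing CA signs the CSR. With CA_EXT the result is a
# subordinate CA (the "Subordinate Certificate Authority" template on the
# Enterprise CA); with LEAF_EXT it is a plain server certificate.
ca_sign() {                            # $1 = stem, $2 = issuer stem, $3 = extensions
  printf '%s\n' "$3" > "$W/$1.ext"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 365 -extfile "$W/$1.ext" -out "$W/$1.pem" 2>/dev/null
}
# Does the certificate carry the CA role?  Echoes yes or no.
is_ca() {
  openssl x509 -in "$W/$1.pem" -noout -text | grep -q 'CA:TRUE' && echo yes || echo no
}
# Path validation as the firewall performs it: $1 = leaf stem, the remaining
# arguments = CA stems in the trust store ("Trusted Root CA" uploads). Only the
# leaf is checked, i.e. the server omitted its intermediate. "untrusted" is the
# case where Forward Untrust (or the block) applies, "trusted" where Forward Trust does.
verify_leaf() {
  leaf=$1; shift
  for s in "$@"; do cat "$W/$s.pem"; done > "$W/store.pem"
  openssl verify -CAfile "$W/store.pem" "$W/$leaf.pem" >/dev/null 2>&1 \
    && echo trusted || echo untrusted
}
# Root CA -> subordinate CA -> server certificate, as in the page's last scenario.
build_lab() {
  new_csr root lab-root-ca && self_sign root "$CA_EXT" &&
  new_csr sub lab-sub-ca && ca_sign sub root "$CA_EXT" &&
  new_csr srv www.example.test && ca_sign srv sub "$LEAF_EXT"
}
```

Run `build_lab`, then compare `verify_leaf srv root` (root trusted, intermediate missing) with `verify_leaf srv root sub` (intermediate uploaded as a trusted CA).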
